Snowflake#
This topic describes how to connect the Snowflake application to PrivaceraCloud on the AWS or Azure platform.
Prerequisites#
Before connecting the Snowflake application to PrivaceraCloud, you must first manually create the Snowflake warehouse, database, users, and roles required by PolicySync. For more information, see Snowflake Configuration for PolicySync.
Connect Application#
-
Go to Settings > Applications.
-
In the Applications screen, select Snowflake.
-
Select the platform type (AWS or Azure) on which you want to configure the Snowflake application.
-
Enter the application Name and Description, and then click Save.
The application page shows Access Management and Data Discovery, each with a toggle button.
Note
If you don't see Data Discovery in your application, enable it in Settings > Account > Discovery. For more information, see Discovery.
Enable Access Management#
-
Click the toggle button to enable Access Management for your application.
-
In the BASIC tab, enter values for the fields described in the table below, and then click Save.
Note
The remaining properties are advanced and should be modified only in consultation with Privacera.
| Property | Description | Example |
|---|---|---|
| Service name | PolicySync connector name used when configuring the PolicySync connector for the Snowflake service. | Service name: Snowflake |
| Service JDBC URL | JDBC URL used to connect to the Snowflake repository. | Service JDBC URL: "jdbc:snowflake://testsnowflake.prod.us-west-2.aws.snowflakecomputing.com" |
| Service JDBC Username | The master/admin database user that the PolicySync process uses for all database activities and for applying permissions on entities. This includes user/role/group creation, access policies, masking and RLF policies, and retrieving access audits. | Service JDBC Username: PRIVACERA_SYNC |
| Service JDBC Password | Password set when creating that database user. | Service JDBC Password: #### |
| Service database name | Database used for creating the master connection to the Snowflake service. | Service database name: privacera_db |
| Service warehouse name | Warehouse used by PolicySync. | Service warehouse name: "PRIVACERA_POLICYSYNC_WH" |
| Service managed global list | Used for access control of global policies such as create DB and create WH. Can be skipped if not required. | Service managed global list: none |
| Manage database list<br>Manage schema list<br>Manage table list<br>Manage view list | These properties follow the same format. Specify a list of zero or more names of databases, schemas, tables, or views to be managed by PrivaceraCloud. If left blank, all targets of that type in the repository are managed. If set to none, no targets of that type are managed. Accepts a single name or multiple names separated by commas. Regular expressions (regex) can be used; for example, _xx matches company_xx, products_xx, and so on. Formats: database list: database; schema list: database.schema; table list: database.schema.table; view list: database.schema.view. | Manage database list: privdb<br>Manage schema list: privdb.saasdb<br>Manage table list: privdb.saasdb.<br>Manage view list: privdb.saasdb. |
| Manage user list<br>Manage groups list<br>Manage roles list | These three properties follow the same format. Specify a list of zero or more names of users, groups, or roles to be managed by PrivaceraCloud. If left blank, all users, groups, or roles in the repository are managed. Accepts a single name or multiple names separated by commas. Regular expressions can be used; for example, xx matches company_xx or products_xx. | Manage user list: privuser*<br>Manage groups list: priv1,priv2<br>Manage roles list: privrole |
| Create service user | Allows the creation of new users during policy synchronization. | Create service user: true |
| Service new user password | The password assigned to any new user created during policy synchronization. Every new user is assigned this same password, so treat it as a credential: do not keep the example value, and have users change it after first login. | Service new user password: welcome1 |
| Manage service user, group, or role | Manages service users, groups, and roles. | Manage service user / group / role: true |
| Ignore user list | Data access user ignore list: comma-separated names of data access users to be ignored (not managed) by PrivaceraCloud. This list is seeded with the standard data access service and administrator user names normally created by PrivaceraCloud for each account. It can be edited or augmented with additional site-specific names to be excluded from PrivaceraCloud control. | Ignore user list: "admin,rangerusersync,keyadmin,rangertagsync,hive,s3,dynamodb,athena,glue,redshift,kinesis,lambda,mssql,adls,postgres,kafka,snowflake,powerbi,padmin" |
| Prefix for User, Role, or Group | A string value prefixed to users, roles, or groups that are auto-created during synchronization. If empty, no prefix is added. | User role prefix: "pc_user"<br>Group role prefix: "pc_role_"<br>Role role prefix: "pc_group_" |
| Perform grant updates | Enables or disables performing grants and revokes. If true, all grants are executed. If false, grant updates are a dry run and are not actually executed. | Perform grant updates: true |
-
In the ADVANCED tab, you can add custom properties.
-
Using the IMPORT PROPERTIES button, you can browse and import application properties.
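The scoping rules in the property table (blank means everything is managed, none means nothing, comma-separated entries treated as regular expressions, the ignore list removing users from scope, and Perform grant updates acting as a dry-run switch) are easy to misconfigure, so the following added Python example resolves a constructed inventory against those rules. It is illustrative code written for this page, not Privacera's PolicySync implementation; it assumes the semantics exactly as the table states them. The sample inventory, the shortened ignore list, the anchored matching option, and the GRANT statement with the hypothetical role pc_role_analysts are all constructed for the example.

```python
import re

# Constructed sample inventory of Snowflake objects (not real account data).
INVENTORY = {
    "databases": ["privdb", "analytics", "privacera_db"],
    "schemas": ["privdb.saasdb", "privdb.raw", "analytics.public"],
    "users": ["privuser1", "privuser2", "admin", "snowflake", "alice"],
}

# Example property values from the table above, with a shortened ignore list.
EXAMPLE_CONFIG = {
    "manage_database_list": "privdb",
    "manage_schema_list": "privdb.saasdb",
    "manage_user_list": "privuser*",
    "ignore_user_list": "admin,rangerusersync,keyadmin,snowflake,padmin",
}


def parse_manage_list(value, anchored=False):
    """Interpret a 'Manage ... list' value as the table describes it.

    Returns None when the value is blank (everything in the repository is
    managed), an empty list for "none" (nothing is managed), and otherwise one
    compiled regular expression per comma-separated entry.  With anchored=False
    an entry matches anywhere in the name, which is how the table's
    "_xx matches company_xx" example behaves; anchored=True (an assumption for
    illustration, not a documented property) wraps each entry in ^...$ so it
    must match the whole name and cannot over-match.
    """
    if value is None or not value.strip():
        return None
    if value.strip().lower() == "none":
        return []
    patterns = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry:
            patterns.append(re.compile(f"^(?:{entry})$" if anchored else entry))
    return patterns


def parse_ignore_list(value):
    """Split the comma-separated ignore list into a set of exact user names."""
    return {u.strip() for u in (value or "").split(",") if u.strip()}


def is_managed(name, patterns, ignore=frozenset()):
    """Decide whether a single object falls inside PrivaceraCloud's scope."""
    if name in ignore:
        return False
    if patterns is None:
        return True
    return any(p.search(name) for p in patterns)


def resolve_scope(inventory, config, anchored=False):
    """Return the managed subset of each object type in the inventory.

    Inventory keys ("databases", "schemas", "users") map to the property names
    from the table ("manage_database_list", ...).  The ignore list applies only
    to users, mirroring the "Ignore user list" property.
    """
    ignore = parse_ignore_list(config.get("ignore_user_list"))
    scope = {}
    for kind, names in inventory.items():
        patterns = parse_manage_list(config.get(f"manage_{kind[:-1]}_list"), anchored)
        applicable_ignore = ignore if kind == "users" else frozenset()
        scope[kind] = [n for n in names if is_managed(n, patterns, applicable_ignore)]
    return scope


def plan_grants(scope, perform_grant_updates, execute):
    """Build GRANT statements for the managed databases.

    When perform_grant_updates is true the statements are passed to `execute`;
    when false they are only returned, i.e. a dry run, as the table describes.
    The statement shape and role name pc_role_analysts are hypothetical.
    """
    statements = [
        f"GRANT USAGE ON DATABASE {db} TO ROLE pc_role_analysts"
        for db in scope["databases"]
    ]
    if perform_grant_updates:
        for stmt in statements:
            execute(stmt)
    return statements


if __name__ == "__main__":
    resolved = resolve_scope(INVENTORY, EXAMPLE_CONFIG)
    for kind, names in resolved.items():
        print(f"{kind}: {names}")
    # Dry run first: statements are produced but nothing reaches Snowflake.
    for stmt in plan_grants(resolved, perform_grant_updates=False, execute=print):
        print("DRY RUN:", stmt)
```

Run the dry run with Perform grant updates set to false and compare the resolved scope against what you expect before switching it to true; a blank Manage list or an unanchored pattern such as priv silently widens scope to every matching object.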
Enable Data Discovery#
-
Click the toggle button to enable Data Discovery for your application.
-
In the BASIC tab, enter values in the following fields.
- JDBC URL
- JDBC Username
- JDBC Password
-
In the ADVANCED tab, you can add custom properties.
-
Using the IMPORT PROPERTIES button, you can browse and import application properties.
-
Click the TEST CONNECTION button to check if the connection is successful, and then click Save.
Add Data Source#
To add resources using this connection as Discovery targets, see Discovery Scan Targets.